Working with MyAccount in Identity Server 5.11.0

Rob Blaauboer
Integration Consultant & WSO2 Trainer

WSO2 Identity Server is the Customer Identity and Access Management solution that is part of the big three of WSO2, next to the API Manager and Enterprise Integrator.

In this blog I am going to take a look at the Identity Server’s My Account functionality. This is where the user (not the administrator) can change and maintain their own login information.

Let’s get started with MyAccount in Identity Server 5.11.0

In the latest version a lot has changed, not to mention the look and feel! I will walk you through the options that you now have and the kind of information you can maintain.

Start the product using either the .sh script (Mac / Linux) or the .bat file (Windows). As you can see, I am on Windows. After it finishes starting up it will display three URLs:

  1. Management console URL: https://localhost:9443/carbon/
  2. My Account URL: https://localhost:9443/myaccount
  3. Console URL: https://localhost:9443/console

[Screenshot 001]

The first is the regular Management UI console that is used to (partly) configure the product. I say partly because a lot is done via the deployment.toml file that governs configuration files. For the (end) user this URL should not be accessible. The third option is the Console URL. This is closely tied to the Management URL and is currently in Beta. It allows configuration like the traditional Management UI and might replace the management UI altogether in upcoming versions.

[Screenshot 002]

That leaves of course the My Account URL. That is where we can maintain and change our data.

Logging in is a matter of entering a user ID and password. Since this is a new install, I only have the admin credentials, but there is an option to Create an Account.

[Screenshot 003]
[Screenshot 004]
[Screenshot 005]

But alas, this is not enabled by default. If I want to self-register, I need to change the setting in the Management UI or the Console. If you flip the switch for User Self Registration to Enabled and update the settings (the button is not shown in the screenshot), you can self-register.

[Screenshot 006]

Before you jump in: self-registration works with a verification email that is sent to the address you provide. By default, the email configuration of Identity Server is done in the deployment.toml file, which can be found at [IS-HOME]/repository/conf/deployment.toml. Change it to use your mail address, mail gateway and password, then restart the Identity Server, since the file is only read and parsed at startup. I am using mailtrap.io; please substitute your own mail credentials.
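As an added illustration (not taken from the original post), this is the shape of the outgoing-mail section in deployment.toml that the paragraph above refers to. The section and key names are the ones WSO2 Identity Server documents for its email output adapter; the host, port, username and password values are placeholders for a mailtrap.io sandbox inbox and must be replaced with your own.

```toml
# [IS-HOME]/repository/conf/deployment.toml
# Outgoing mail used for self-registration and account-recovery emails.
# Values below are placeholders (mailtrap.io sandbox); substitute your own.
[output_adapter.email]
from_address = "no-reply@example.com"       # sender shown to the user
username = "MAILTRAP_USERNAME_PLACEHOLDER"  # SMTP login for the relay
password = "MAILTRAP_PASSWORD_PLACEHOLDER"  # SMTP password: plain text in this file
hostname = "smtp.mailtrap.io"               # SMTP relay host
port = 587                                  # submission port
enable_start_tls = true                     # upgrade the connection to TLS
enable_authentication = true                # authenticate to the relay
```

Two things a practitioner should check after editing this: the file is only parsed at startup, so a restart is required, and the SMTP password sits in clear text in deployment.toml, so the file should be readable only by the account that runs the server. WSO2's Cipher Tool can encrypt such values and reference them from a `[secrets]` section instead of leaving them in the clear.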

[Screenshot 007]

Fill in the details. All these fields are so-called claims and can be configured to be mandatory.

[Screenshot 008]

And presto: I have received an email and can now log in.

[Screenshot 009]

[Screenshot 010]
[Screenshot 011]

The overview shows the elements / data that we can change or maintain. We can see that a number of optional items have not been filled in. Let us fix that.

We will start with the user's image. I am using a site called thispersondoesnotexist.com, which gives us a picture for our tester. We cannot upload pictures, only link to them. The alternatives are to keep the initials or to use a Gravatar.

[Screenshot 012]

I am now at 100% as far as the profile goes.

[Screenshot 013]

But there is more

There are three more things to see when we look at Personal Info. Export Profile downloads the user's details as a JSON file.

[Screenshot 014]

Linked Accounts

WSO2 IS allows a user to link multiple accounts and to switch between them once they are linked. WSO2 IS also allows connecting a user's federated credentials with their WSO2 Identity Server account.

[Screenshot 015]

Here I have linked tester and admin. I can now switch between the two accounts.

[Screenshot 016]

Security

Let us look at the Security section, the third option we see. Note that the image of our tester changes, because it is retrieved on every refresh and the site we use generates a new image each time it is accessed.

[Screenshot 017]

We can change the password. What is a bit strange is the requirement to enter the current password, since we are already logged in. On the other hand, if you leave the PC unattended, without that password entry anyone with access to the open session could change the password.

[Screenshot 018]

In case of a forgotten password, the IS administrator can of course reset it, but there are also two other possibilities:

  1. Security questions
  2. Email recovery
[Screenshot 019]

These questions can be changed by the administrator (both the language and the actual question). The (dummy) answers are shown in plain text at this moment. Changing the email address updates your record.

[Screenshot 020]

However, the recovery is not enabled by default.

[Screenshot 021]

In order to enable it, you need to turn on the settings either in the Management UI or in the Console. There you will find a large number of settings regarding account recovery; I am only showing the first three.

[Screenshot 022]
[Screenshot 023]

Now we are able to recover. When both security questions are answered, we can reset the password.

[Screenshot 024]

Using email sends a recovery email to the user.

[Screenshot 025]
[Screenshot 026]

Multifactor Authentication

In order to add an additional level of security, you can add multifactor authentication to the Identity Server. In this case you will need to provide a value that is tied to your mobile device or, for instance, a FIDO key such as Yubico's keys. SMS requires some configuration by the administrator (you need to configure an SMS gateway / provider), as does the Authenticator App (configuring the one you would like to use). FIDO support works out of the box: you simply insert and register a FIDO key with your account.

[Screenshot 027]

Of course, you do need to configure the service providers for which you want to enable FIDO keys, just as you would for SMS and the Authenticator App.

[Screenshot 028]

Active IDP sessions shows the sessions your account currently has with the IDP. The consent management page shows the consent you have given to share information. This is an integral part of the GDPR support. Consent can be given and revoked.

Admin vs. regular user

Is there a difference between what an admin user sees and what a regular user sees? In previous versions there was a difference, because the admin user would see the human tasks (when enabled). In this version, approvals / human tasks are in the Console application that is available on

Conclusion

The new My Account functionality offers a fresh look at the user's data and the possibility to maintain it. The fresh interface gives it a modern feel, and the fact that it only shows the user's own data makes a lot of sense.